diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index df91673645..5eab31a497 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -29,11 +29,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     continue-on-error: ${{ matrix.experimental }}
     steps:
-      # We run the build twice for each supported JDK: once against the
-      # original Error Prone release, using only Error Prone checks available
-      # on Maven Central, and once against the Picnic Error Prone fork,
-      # additionally enabling all checks defined in this project and any Error
-      # Prone checks available only from other artifact repositories.
+        # We run the build twice for each supported JDK: once against the
+        # original Error Prone release, using only Error Prone checks available
+        # on Maven Central, and once against the Picnic Error Prone fork,
+        # additionally enabling all checks defined in this project and any
+        # Error Prone checks available only from other artifact repositories.
       - name: Check out code
         uses: actions/checkout@v3.1.0
       - name: Set up JDK
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bd3cf9554c..671c61f0d5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,3 +1,7 @@
+# Analyzes the code base using Github's default CodeQL query database.
+# Identified issues are registered with GitHub's code scanning dashboard. When
+# a pull request is analyzed, any offending lines are annotated. See
+# https://codeql.github.com for details.
 name: CodeQL analysis
 on:
   pull_request:
@@ -19,6 +23,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3.1.0
+        with:
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/setup-java@v3.8.0
         with: